swimmers-sprite

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/generate-logo-pack.js dynamically generates a Python script string and executes it via spawnSync('python3', ['-c', pyScript, ...]). This runtime code generation and execution is used to perform image processing with the Pillow library.
  • [COMMAND_EXECUTION]: The scripts/generate-logo-pack.js script is vulnerable to injection because it fails to sanitize the --name input argument. This value is interpolated directly into the aria-label and title attributes of the resulting SVG files, allowing an attacker to inject malicious SVG content or scripts that would execute if the SVG is rendered in a web browser.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 10, 2026, 08:11 PM